From c7a7d298133b9df8ca3f341bdee47e02cb54cc51 Mon Sep 17 00:00:00 2001
From: Andy Allan <git@gravitystorm.co.uk>
Date: Wed, 2 Jan 2019 17:40:43 +0100
Subject: [PATCH 1/1] Require terms agreement for abilities and capabilities
 related to api write methods

---
 app/abilities/ability.rb                      |  5 +-
 app/abilities/capability.rb                   |  5 +-
 .../changeset_comments_controller_test.rb     | 69 +++++++++++++++++++
 3 files changed, 77 insertions(+), 2 deletions(-)

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index d0e0b65d7..1fcf6cbee 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -16,13 +16,16 @@ class Ability
 
     if user
       can :welcome, :site
-      can :create, ChangesetComment
       can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
       can [:close, :reopen], Note
       can [:new, :create], Report
       can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
       can [:read, :read_one, :update, :update_one, :delete_one], UserPreference
 
+      if user.terms_agreed? || !REQUIRE_TERMS_AGREED # rubocop:disable Style/IfUnlessModifier
+        can :create, ChangesetComment
+      end
+
       if user.moderator?
         can [:destroy, :restore], ChangesetComment
         can [:index, :show, :resolve, :ignore, :reopen], Issue
diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb
index 6aa1c418c..ae30a0ebd 100644
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
@@ -4,13 +4,16 @@ class Capability
   include CanCan::Ability
 
   def initialize(token)
-    can :create, ChangesetComment if capability?(token, :allow_write_api)
     can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
     can [:api_details], User if capability?(token, :allow_read_prefs)
     can [:api_gpx_files], User if capability?(token, :allow_read_gpx)
     can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
     can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
 
+    if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+      can :create, ChangesetComment if capability?(token, :allow_write_api)
+    end
+
     if token&.user&.moderator?
       can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api)
       can :destroy, Note if capability?(token, :allow_write_notes)
diff --git a/test/controllers/changeset_comments_controller_test.rb b/test/controllers/changeset_comments_controller_test.rb
index 10dfb1f88..2b661a7a9 100644
--- a/test/controllers/changeset_comments_controller_test.rb
+++ b/test/controllers/changeset_comments_controller_test.rb
@@ -248,4 +248,73 @@ class ChangesetCommentsControllerTest < ActionController::TestCase
     get :index, :params => { :format => "rss", :limit => 100001 }
     assert_response :bad_request
   end
+
+  # This test ensures that token capabilities behave correctly for a method that
+  # requires the terms to have been agreed.
+  # (This would be better as an integration or system testcase, since the changeset_comment
+  # create method is simply a stand-in for any method that requires terms agreement.
+  # But writing oauth tests is hard, and so it's easier to put in a controller test.)
+  def test_api_write_and_terms_agreed_via_token
+    with_terms_agreed(true) do
+      user = create(:user, :terms_agreed => nil)
+      token = create(:access_token, :user => user, :allow_write_api => true)
+      changeset = create(:changeset, :closed)
+
+      # Hack together an oauth request - an alternative would be to sign the request properly
+      @request.env["oauth.version"] = 1
+      @request.env["oauth.strategies"] = [:token]
+      @request.env["oauth.token"] = token
+
+      assert_difference "ChangesetComment.count", 0 do
+        post :create, :params => { :id => changeset.id, :text => "This is a comment" }
+      end
+      assert_response :forbidden
+
+      # Try again, after agreement with the terms
+      user.terms_agreed = Time.now
+      user.save!
+
+      assert_difference "ChangesetComment.count", 1 do
+        post :create, :params => { :id => changeset.id, :text => "This is a comment" }
+      end
+      assert_response :success
+    end
+  end
+
+  # This test does the same as above, but with basic auth, to similarly test that the
+  # abilities take into account terms agreement too.
+  def test_api_write_and_terms_agreed_via_basic_auth
+    with_terms_agreed(true) do
+      user = create(:user, :terms_agreed => nil)
+      changeset = create(:changeset, :closed)
+
+      basic_authorization user.email, "test"
+
+      assert_difference "ChangesetComment.count", 0 do
+        post :create, :params => { :id => changeset.id, :text => "This is a comment" }
+      end
+      assert_response :forbidden
+
+      # Try again, after agreement with the terms
+      user.terms_agreed = Time.now
+      user.save!
+
+      assert_difference "ChangesetComment.count", 1 do
+        post :create, :params => { :id => changeset.id, :text => "This is a comment" }
+      end
+      assert_response :success
+    end
+  end
+
+  private
+
+  def with_terms_agreed(value)
+    require_terms_agreed = Object.send("remove_const", "REQUIRE_TERMS_AGREED")
+    Object.const_set("REQUIRE_TERMS_AGREED", value)
+
+    yield
+
+    Object.send("remove_const", "REQUIRE_TERMS_AGREED")
+    Object.const_set("REQUIRE_TERMS_AGREED", require_terms_agreed)
+  end
 end
-- 
2.43.2